In June, the American Data Privacy and Protection Act (ADPPA) was introduced. In July, ADPPA updates were made that allowed the bill to advance past a House committee hearing with a vote of 53-2. The bill will now head to the house floor for a vote. The bill has strong bipartisan support and there is hope from privacy advocates that the United States will soon get its first federal data privacy and protection law, rather than leaving these important issues to individual states to address.
A federal data privacy bill is long overdue. In Europe, the General Data Protection Regulation (GDPR) took effect four years ago, and many countries have introduced their own data privacy regulations, yet in the United States, all previous attempts to introduce federal privacy laws have failed. In fact, no bill has made it as far as the ADPPA has, and while there is strong support, even with the ADPPA updates there is still a long way to go to get the bill over the line and onto the president’s desk for a signature.
Criticisms of the ADPPA
The strong support – passing 53-2 – does not tell the whole story. Several committee members voted in favor of ADPPA but have voiced their concerns about the bill with some going as far as saying they would not vote for the bill in its current form and that they voted in favor to ensure the bill advanced. They would need to see modifications made or be convinced to change their minds in order to vote in favor. There is strong support in the Senate, but again, there is some way to go. For instance, Senate Commerce Committee Chair Maria Cantwell is concerned about the lack of enforcement and said she would not vote for the bill and her vote is important for ADPPA to pass through the Senate. Cantwell is not alone in that view.
The FTC would be the regulator of ADPPA compliance but the ability of the FTC to enforce compliance will be limited. For a start, the FTC’s budget is already stretched, and there are no further funds being made available to cover enforcement of ADPPA compliance. State attorneys general could assist with enforcement, but states that have not introduced strong privacy laws may not feel compelled to do so. There is a private right of action, which allows individuals to take legal action over violations of ADPPA, but the private right of action does have limitations, although these have been watered down in the latest revision.
One of the major sticking points is the preemption of state laws. This is certainly an issue in California where ADPPA would see a watering down of privacy protections. This has partially been addressed in the latest revision of ADPPA – more about that later. The revised ADPPA does address many of the criticisms of the bill, and certainly enough for the bill to advance, but some House Representatives and Senators may need a lot of convincing to vote for the bill.
Criticisms aside, considerable work has gone into getting ADPPA to this stage and there is hope that this is the bill to introduce federal standards for privacy and data protection. There is also a strong belief that with the latest ADPPA updates, the bill is the best ever chance to get data privacy and protection requirements signed into law at the federal level and correct all the missed opportunities for improving privacy for all Americans.
July 2022 ADPPA Updates
You can view the main requirements for ADPPA compliance in this post, but here we will focus on the July ADPPA updates that saw the bill head to the House floor for a vote. Several changes have been made to the text of the bill to clear up confusion, remove potential loopholes, and clarify the requirements of the bill. A useful summary of the ADPPA updates has been shared by @viaChristiano of the Washington Post. The main ADPPA updates are detailed below.
California Gets to Enforce ADPPA Compliance
California is one of the states that would see a reduction in privacy protections for state residents as the state has introduced a comprehensive privacy law – the California Consumer Privacy Act (CCPA) – and the California Privacy Rights Act (CPRA), which further expanded protections for state residents. These laws are actively enforced by the California Privacy Protection Agency (CPPA). In an effort to win support, ADPPA updates include an amendment to allow the CPPA to enforce ADPPA compliance. Enforcement of ADPPA compliance in all other states falls upon the FTC and state attorneys general.
Private Right of Action Delay Shortened to 2 Years
The private right of action in ADPPA was delayed for 4 years; however, the revised ADPPA sees that delay reduced to two years from the date ADPPA is signed into law. This change will go some way toward addressing the concerns of Representatives and Senators about the lack of enforcement of ADPPA compliance.
Small Businesses Exempt from Private Right of Action
The private right of action in ADPPA allows individuals to take legal action against companies that have violated their rights under ADPPA, and that could have a huge toll on small businesses. Pro-business states such as Utah will certainly welcome the move to remove the private right of action against small businesses, which are classed as any business with revenues of less than $25 million that engage with the covered data of fewer than 50,000 individuals, and earn less than half of their revenue from transferring covered data.
Tiers Introduced for Knowledge an Individual is Under 17 Years
ADPPA treats the covered data of adults and minors differently, and places very strict controls over the use of minors’ data – individuals under 17 years of age. ADPPA prevented companies from using minors’ data for targeted advertising if they had knowledge that an individual is under 17 years of age. A tiered approach has been introduced in the revised ADPPA regarding knowledge of an individual’s age, which is based on the size of a company.
Constructive knowledge – applies to high-impact social media companies that know or should have known that an individual is under 17 years old. Willful disregard applies to all large data holders and service providers who are aware that an individual is under 17 years of age. Actual knowledge applies to all other businesses that do not fall into the previous categories.
National Center for Missing and Exploited Children Exempted
Without access to the data of minors, the National Center for Missing and Exploited Children would be unable to perform its important functions of tackling child trafficking, abduction, and abuse. The ADPPA has been revised to exempt the National Center for Missing and Exploited Children, which will be able to continue to work with the data of minors under 17 years of age.
Employee Data Further Exempted from ADPPA
Employee data is exempt from ADPPA but the language has now been changed to clarify that employee data also includes data that is used solely for professional activities on behalf of the business.
ADPPA Will Still Preempt State Laws
A major sticking point is the preemption of state laws. While some states will benefit from greater privacy protections, others will see a reduction. One area where changes to ADPPA were requested is the issue of preemption. 10 state attorneys general wrote to congressional leaders requesting states be given the option of increasing privacy protections for state residents, suggesting a federal privacy law should set a baseline for data privacy and protection rather than a ceiling. However, this aspect of ADPPA remains unchanged.
What Happens Next?
The ADPPA updates have seen the bill pass the House Committee vote so it now heads to the House floor, where House Representatives will vote on the bill. If the bill wins the support of a majority of House Representatives, the bill will then advance to the Senate Committee on Commerce, Science, and Transportation, which will scrutinize the bill. If the bill survives, it will head to the Senate floor for a vote – the final stage in the process before heading to the president’s desk. President Biden will then have the final say, and if the bill is signed, it will become the first federal data privacy and protection bill to be signed into law. There is strong support, but it is unlikely that ADPPA will reach the president’s desk without further amendments. Whether those amendments can be made without losing its current strong bipartisan support remains to be seen.